
November 2025

BLOG POST

Why we invested in Tidal Cyber

by Marcos Osório

A Doctrine That Broke Down
For almost two decades, cybersecurity has lived under a deceptively simple doctrine: if we find and patch every software weakness, we will be safe. This vulnerability-centric mindset shaped how budgets were allocated, how teams were structured, and how tools were bought. It also created strong companies and real value – just look at the rise of the vulnerability- and exposure-management vendor industry.

Today, the limits of that doctrine are hard to ignore. The volume and speed of new vulnerabilities overwhelm even the best-resourced security teams. Boards and executives remain unconvinced that this activity translates into meaningful risk reduction. The math no longer works and everyone in the room knows it.

From Fixing Bugs to Understanding Attackers
In parallel, a different doctrine has been quietly taking over: threat-informed defense. At its core is a much more pragmatic idea: if you deeply understand the behaviors adversaries use to achieve their objectives, and you use that understanding to assess, shape and test your defenses, you can focus resources on a relatively small, stable set of things that matter. Instead of fighting an ocean of CVEs (Common Vulnerabilities and Exposures), you manage a sharper universe of tactics, techniques and procedures (TTPs).

Security leaders need something they usually do not have: the ability to see what truly matters in their environment and to place it in the right context. That is only possible if you can frame what you see against a coherent model of adversary behaviour and defensive capability. That model is what MITRE ATT&CK provides – turning it into an operational system is what Tidal Cyber does – and it is the main reason we at Bright Pixel chose to invest in Tidal Cyber.

Vulnerabilities and TTPs are not the same thing. Vulnerabilities are discrete weaknesses; TTPs are the patterns attackers use to move from initial access to impact. The non-obvious, critical point is that most behaviours in MITRE ATT&CK do not depend on an exploitable CVE. Phishing, credential theft, abuse of legitimate tools, stealthy lateral movement and data exfiltration frequently unfold without a single unpatched vulnerability. Meanwhile, vulnerability-centric approaches are drowning in their own complexity: lists grow, scoring gets cleverer, automation pipelines multiply – but the signal-to-noise ratio for CISOs does not materially improve. And this is a problem. TTPs, by contrast, evolve at a slower, more manageable pace and are a far better backbone for organizing defences and spend.

At Bright Pixel, we believe security organizations need more security engineering, not more random tooling. Thinking precedes tooling. In practice, that means working through the threat model first, understanding where revenue is truly exposed, and only then deciding what to buy, what to tune and what to retire. This becomes non-negotiable as we enter what we see as the year of CISO fiscal accountability, where boards want hard links between spend and revenue protection, not just maturity scores or another shiny dashboard.

The Question That Really Matters
This pressure crystallizes around one deceptively simple question: “Can we defend X against Y?” – where X is a business unit, system or regulated environment, and Y is a class of adversary or a set of TTPs. Today, answering that rigorously is slow, manual and expensive. Weeks of mapping, interviews and spreadsheets typically produce a partial, fragile answer based on a mix of evidence and guesswork. Ironically, this is the only question that budget holders really care about in a pragmatic sense – and it is exactly the question Tidal Cyber is built to answer continuously, not once a year.

Tidal Cyber ingests and prioritizes the TTPs that matter most for a given organization, maps them to MITRE ATT&CK (and, as AI-related threats grow, to MITRE ATLAS), and then maps atomic product capabilities – detections, controls, policies – from hundreds of vendors to those behaviours. The result is a live, MITRE-native picture of which adversary behaviours the current stack can detect or block, where the coverage gaps are, and which changes will have the highest impact. Recommendations are often about better using what is already paid for: tuning tools, enabling latent features, fixing configurations. Sometimes they involve new controls, but the objective is always the same: optimize spend against real threat coverage, not noise.
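To make the mechanics of "can we defend X against Y?" and the coverage mapping concrete, here is an added example in Python. It is not Tidal Cyber's code and does not reflect their data model; it shows the minimal shape of the computation: a weighted threat profile of ATT&CK technique IDs, an inventory of controls with the techniques each can detect or block, and functions that compute coverage, list gaps by priority, rank disabled ("latent") features by the priority they would newly cover, and answer the defend-X-against-Y question for a chosen technique set. The technique IDs are real ATT&CK enterprise IDs; the weights, control names and their capability mappings are constructed sample data.

```python
"""Added example: a minimal ATT&CK-style coverage-gap calculator.
Technique IDs are real ATT&CK enterprise IDs; THREAT_PROFILE and CONTROLS
are constructed sample data, not a real vendor mapping."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    detects: frozenset      # technique IDs this control can detect
    blocks: frozenset       # technique IDs this control can prevent
    enabled: bool = True    # latent (paid-for but unused) features are modelled as disabled


# Constructed threat profile for one business unit: technique -> priority weight.
THREAT_PROFILE = {
    "T1566": 5,  # Phishing
    "T1078": 4,  # Valid Accounts (credential abuse)
    "T1003": 4,  # OS Credential Dumping
    "T1021": 3,  # Remote Services (lateral movement)
    "T1041": 3,  # Exfiltration Over C2 Channel
    "T1059": 2,  # Command and Scripting Interpreter
}

# Constructed control inventory; capability mappings are illustrative only.
CONTROLS = [
    Control("email-gateway", detects=frozenset({"T1566"}), blocks=frozenset({"T1566"})),
    Control("edr", detects=frozenset({"T1003", "T1059"}), blocks=frozenset({"T1003"})),
    Control("mfa-conditional-access", detects=frozenset(), blocks=frozenset({"T1078"}), enabled=False),
    Control("netflow-analytics", detects=frozenset({"T1041", "T1021"}), blocks=frozenset()),
]


def coverage(profile, controls):
    """Map each profiled technique to the enabled controls that detect or block it."""
    result = {t: {"detect": [], "block": []} for t in profile}
    for c in controls:
        if not c.enabled:
            continue
        for t in profile:
            if t in c.detects:
                result[t]["detect"].append(c.name)
            if t in c.blocks:
                result[t]["block"].append(c.name)
    return result


def _covered(cov, t):
    return t in cov and bool(cov[t]["detect"] or cov[t]["block"])


def gaps(profile, controls):
    """Profiled techniques with no detection and no prevention, highest priority first."""
    cov = coverage(profile, controls)
    return sorted((t for t in profile if not _covered(cov, t)),
                  key=lambda t: (-profile[t], t))


def coverage_score(profile, controls):
    """Weighted share of the threat profile that has at least some coverage (0.0..1.0)."""
    cov = coverage(profile, controls)
    total = sum(profile.values())
    covered = sum(w for t, w in profile.items() if _covered(cov, t))
    return round(covered / total, 3) if total else 0.0


def rank_changes(profile, controls):
    """Rank disabled controls by the priority weight they would newly cover if enabled."""
    cov = coverage(profile, controls)
    ranked = []
    for c in controls:
        if c.enabled:
            continue
        gain = sum(profile[t] for t in (c.detects | c.blocks)
                   if t in profile and not _covered(cov, t))
        ranked.append((c.name, gain))
    return sorted(ranked, key=lambda x: (-x[1], x[0]))


def can_defend(profile, controls, techniques):
    """'Can we defend X against Y?' for technique set Y: returns (all_covered, missing)."""
    cov = coverage(profile, controls)
    missing = [t for t in techniques if not _covered(cov, t)]
    return (not missing, missing)


if __name__ == "__main__":
    print("coverage score:", coverage_score(THREAT_PROFILE, CONTROLS))
    print("gaps by priority:", gaps(THREAT_PROFILE, CONTROLS))
    print("highest-impact latent features:", rank_changes(THREAT_PROFILE, CONTROLS))
    print("defend against phishing + credential abuse?",
          can_defend(THREAT_PROFILE, CONTROLS, ["T1566", "T1078"]))
```

Run as a script it reports the weighted coverage, the uncovered techniques in priority order, and that enabling the already-licensed MFA policy closes the single gap. Two design points carry over to any real implementation: the answer must distinguish "detect" from "block" (a detected technique still needs a response path), and disabled or mis-configured features must be modelled as part of the inventory, since that is where the cheapest coverage gains usually are.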

Customers tell us this dramatically changed the way they operate: silos between threat intel, red/purple, engineering and the SOC start to break down; tedious mapping work is automated; smaller teams run bigger programs with more discipline; continuous, data-driven reviews replace sporadic posture reports; and board conversations move from static slide decks to live dashboards that can answer “can we defend X against Y?” on demand.

Where Cybersecurity Is Really Going
Combined with the founders’ deep MITRE pedigree and a capital-efficient trajectory in a noisy CTEM (Continuous Threat Exposure Management) landscape, this is why we believe Tidal Cyber sits exactly where the industry is going: away from the illusion of patch-everything, and towards a threat-informed, fiscally accountable way of running security.